(ISC)2 and U.S. State Department Unveil New Cert

The International Information Systems Security Certification Consortium, (ISC)2, recently announced the release of its new Certification and Accreditation Professional (CAP) credential. The CAP was developed in conjunction with the U.S. Department of State, which has already certified a few dozen of its own employees through the program, and is currently available worldwide alongside all other (ISC)2 credentials.

“The ideal candidate should have experience, knowledge and skills in IT security, information assurance, information risk management, certification and system administration,” Tony Baratta, CISSP-ISSAP, ISSMP, SSCP and director of certification and IT at (ISC)2. “It pretty much runs the gamut of people in the information assurance business.”

The certification and accreditation (C&A) sphere revolves around evaluating information systems and ensuring that they have adequate security to handle the levels of risk in operations. Provisions laid out in the U.S. Federal Information Security Management Act (FISMA) deal specifically with the process used to review the risks and security requirements of these systems. “I think (CAP) was developed more in line with the recognition that the formal process needs to be further formalized by showing that people have this level of competency,” Baratta said. “The ideal way to do that is by exam. Like all exams, this implies a minimum level of competency in a particular area. This ensures that people who hold this credential have that minimum level of competency and understanding and experience within that discipline.”

The collaboration with the State Department was the result of a suggestion that came from (ISC)2’s government advisory group, Baratta said. “(ISC)2 has a number of advisory groups. One of them is the government advisory group here in the U.S. The government advisory board came to us with a recommendation because they felt that it was important to the information security business to have people prove that they know certification and accreditation. They brought it to our attention. We took a look at it and went back and made some recommendations.”

When they reconvened and discussed the possibility of certification, the State Department’s representative stepped forward and agreed to sponsor the initiative. “The State Department provided the subject-matter experts, people who are knowledgeable and experienced in the field,” Baratta said. “We provided our exam development expertise. They gave us the information that needed to go into the job-task analysis, and we basically provided the expertise to help develop an exam that’s not only good, but also defensible, in testing industry terms.”

Although it was developed with substantial help from the public sector, the CAP is not limited to candidates from government agencies and departments, he said. “It will have broader application. We believe that any regulated industry would want to be able to show that someone has a minimal level of competency. Obviously, since the State Department sponsored this, they would be the first people that would take advantage of an exam of this nature.”

As with all (ISC)2 certifications, CAP certificants must earn 60 hours of continuing education credits every three years, pay annual maintenance fees and abide by the (ISC)2 Code of Ethics. It also was built consistent with the ISO/IEC 17024 standard. “That’s the one we basically march to,” Baratta said. “All of our exams, this one included, are developed by the same standard. That’s another reason we believe this will have domestic and international appeal.”